in reply to OT: Software & Liability

cjf ++

Life in the software industry is truly changing. tilly's trevails became quite real in a hurry. Plus, issues like the ones raised in this thread are quite real too, and becoming more mainstream. As we need to address these issues more and more, it looks like we'll need become much more sensitive to best practices and pushing to have a wider variety of talent involved in many projects. cjf, what were your conclusions about all this?

A good deal of this has gone on all along anyway. For instance, software running machine tools has been known to crash the tool into expensive stock, and the developer had to cover the cost (often a great deal of money) for the stock. This liability may often get handled out of court for customer-service and pubilicity reasons, but it's accountability nonetheless. I'm guessing that software improved thereafter, so it's reasonable to assume that this could work. But, given the legal system's inability to understand technology, it could also fail miserably.

Software development company lawyers must have worried about this from the start considering standard licensing phrases such as (paraphrased) "you're buying this license as-is". Additionally, many (most?) licenses claim liability only extends to the sales price of the software itself.

And then comes the argument "define fault". Could a CRM development company be sued for omitting a feature the industry accepted as a Best Practice? Is that faulty software? Can laws extend to software development companies in niche fields that assume those companies are 'professionals in the vertical field' each of their software's cover and they're therefore expected to know all the appropriate best practices?

Or is it more likely they will only be held liable if their product doesn't do something they said it would do, or something a reasonable buyer could reasonably expect it would do?

Or, should we expect and trust that any legislation would be sensible and apply reasonable standards only to instances of damages? (Man, would I hate to have to find those 12 jurors at this time, anywhere in the world, who could reasonably understand the problem.)

Also, there's quite a distinction between liability for security and liability for general quality eh? And considering that precisely defining those two concepts (for all time) is almost impossible since the problems those terms address are moving targets - well, given that the DMCA happened, I guess we could assume anything's possible in law-making.

If software or security liability becomes more of an insurance issue rather than statutory, it seems that open source products could benefit. If actuaries actually produce statistics that, say, Apache is more secure than, oh, some nondescript product like IIS, then insurance premiums would rule preemtively in many cases. The article indicates this may already be true.

Yup, things would change rapidly indeed. Less profitable? Absolutely, especially if the court was unclear about the findings. If they are instead knowledgable and specific about the faults and findings and companies knew what to do as a result, it wouldn't be quite so chaotic.

In most cases, just one unreasonably sized lawsuit could kill most software houses I'd guess. That would ruin the world in my view.

I hate muck-raking analogies like this; designed to inflame readers, with an over-simplified, wrongly generalized simili justified with something like "I'm just making it more real to my readers - making it so they can understand it." It's simply obfuscation. (Note, the article's author made no such justifying statement in the article.)

I looked up Mr. Banisar and found something about him here. While I sympathize with his interests in privacy issues, it seems clear that he's into social responsibility issues and legislative cures, at least on this issue. I wonder what pissed him off? In that same article he writes, "It is time to start considering imposing some legal liability when companies release products that have gaping security holes in them." One can easily sympathize with the problem. However, I'd be much happier letting courts continue their routine handling of brought complaints, evolving with and learning the issues, than having some un-named entity "start considering imposing" anything.

I wonder if open source projects would find some kind of solace in the already commercialized arguments like 'there's nobody to call for support', 'they aren't professionals', 'you get what you pay for'; these could all work to the advantage of open source. Commercial entities have already admitted these things, and maybe the 'nobody there to sue' concept would win out. Plus, 'you have the code, you got it free, you can fix it' may come up.

OTOH, if legislation occurred, that would instantly make or reinforce a market for commercial entitires offering pro support for open source products (along with their insurance policies in full force).


I'm a cynic in the face of legislative cures. My bias is showing...